@Info Policy: E-government + Microsoft = Passport to trouble?

By Robert Gellman

May 30, 2002

Robert Gellman

How does your agency identify people online? I am not talking only about user names and passwords. I mean real authentication and authorization. Agencies need to be sure who people are before conducting business with them online.

Word recently floated out of the Office of Management and Budget that officials there were considering Microsoft Corp.'s Passport as a way to authenticate Web site visitors. Passport creates a sign-in name and password for use across many participating sites.

The core of the system is a common Internet authentication mechanism. Users give friendly old Microsoft personal information, and Microsoft doles it out on demand to the Web sites on their behalf. Users save keystrokes, and companies can authenticate customers more easily. Passport is even free.

What's in it for Microsoft? Only complete access to all your personal and transactional information. Microsoft has a modest goal. According to documents that emerged during its federal antitrust lawsuit, the goal is to have the 'largest and most extensive database of profiles on the planet.' Reassured? Me neither.

Evidence suggests that most people who signed up for Passport were forced to if they wanted access to Microsoft's or other online services. Many people don't even know that they are in Passport.

What does the privacy community think? Even before the government angle arose, the Electronic Privacy Information Center complained to the Federal Trade Commission that Passport was an unfair and deceptive trade practice. The argument is that Passport exposes consumers to the possibility that their online browsing and shopping activities will become the subject of profiles that Microsoft can maintain, use and sell for its own purposes.

So what happens if the federal government decides to work with Microsoft to collect and maintain information on all 285 million Americans? Imagine marrying the government's extensive personal records with Microsoft's planned database. Is this a real idea?

Let's follow it a step farther. If Microsoft becomes a government contractor for online authentication, guess what happens. The Privacy Act of 1974 applies. The act is the government's basic internal privacy law, and it covers some government contractors.

Whoever provides authentication services for the government will likely have to comply with the fair information practice requirements of the act. If that is the case, watch Microsoft run the other way. I conclude that the whole idea of hiring Microsoft to handle online government authentication didn't get more than five minutes of advance thought.

Authenticating users will be necessary for government online services. The authentication process has the potential to generate reams of highly revealing transactional and other records about individuals. Privacy will require attention no matter who runs the authentication system, and it won't be easy. Handle privacy poorly, and no one will use the system.

Casual government alliances with Microsoft are not going to do much to engender confidence from the American public. Why start out working with someone that so many people don't trust?

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@cais.com.